December 7, 2004 12:01 PM PST

Java stir puts Sun in a spot

A flaw in Sun Microsystems' Java software has highlighted the difficulty the company faces as flocks of tech novices start to turn to it for support.

Sun disclosed a serious security flaw in its Java virtual machine software last month. The rare problem, which affects Sun's plug-in for running Java on a variety of Web browsers and operating systems, could allow a virus to spread through PCs running both Microsoft Windows and Linux.

News.context

What's new:
Firefox users who attempted to download patched Java software got the flawed version instead.

Bottom line:
Sun is working on fixing the problem, but the issue highlights the difficulty the company faces as tech novices turn to it for support.


A flaw-free version of the JVM software is available on Sun's Web site, and the company is encouraging people to download it. But some users of the Firefox Web browser who attempted to download the new software received a version that contained the vulnerability, Sun representatives told CNET News.com.

On Tuesday, Sun was in the process of updating the download pages on Java.com and its download site to fix that problem, having previously said it would make the change Dec. 13.

Sun said the mix-up in support arose because it had not had a chance to update the download features for Firefox. It also said that it first concentrated on developing a patch for the more pervasive browsers--Microsoft's Internet Explorer, Netscape and Mozilla.

Even people with those browsers might not have had an easy ride. Some said they have had difficulty working out from Sun's Web site how to get and use the patch. "Sun has a page that documents the bug but then just sends someone off to a download of the latest release, with no clear guidance as to whether it is OK to just install that on top of whatever someone has on their system already," one user, who described himself as "fairly computer-savvy," wrote in an e-mail to CNET News.com.

Plugging the Java leak

How to make sure the hole in Sun's code for Java in browsers doesn't spread to your system.

Does this affect my PC?
If you are running Windows or Linux and have Sun's Java plug-in installed, you may be vulnerable to this flaw.

How do I check whether the plug-in is on my PC?
Check the Control Panel in Windows. If you have Java installed, an icon will be available to get more information. Linux users will have to search their computer for the terms "j2re" and "plugin."

What are the risks?
A malicious Web site could install a program to take control of your PC without your knowledge. A link to the site could be disguised as a link to some other site and sent via e-mail or instant message.

What should I do?
Patch your computer by going to Sun's Java page. Click on the button in the top-left green box, which leads to a free Java download. The software will start downloading automatically onto Windows PCs.

Source: Sun Microsystems and CNET News.com.
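
For the Linux check described in the box above, the following shell script is an added example (not from Sun or CNET News.com) that searches a directory tree for "j2re" installs containing a "plugin" directory and flags any older than the patched 1.4.2_06 release the article names. It assumes the install directory is named j2re followed by the version, for example j2re1.4.2_05; the function names are illustrative.

```shell
#!/bin/sh
# Added example: inventory Sun J2RE installs that include the browser plug-in
# and flag any older than the patched release named in the article.
PATCHED="1.4.2_06"

# is_older A B: succeeds when version A sorts strictly before version B.
# Versions look like 1.4.2_05; fields are compared numerically, left to right.
is_older() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, /[._]/); split(b, y, /[._]/)
        for (i = 1; i <= 4; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions are not "older"
    }'
}

# scan_j2re ROOT: print one line per J2RE directory under ROOT that has a
# plugin/ subdirectory: "OUTDATED <version> <path>" or "OK <version> <path>".
# Assumption: the directory name is j2re<version>.
scan_j2re() {
    find "$1" -type d -name 'j2re*' 2>/dev/null | while read -r dir; do
        # Installs without the browser plug-in are skipped.
        [ -d "$dir/plugin" ] || continue
        ver=$(basename "$dir" | sed -n 's/^j2re\([0-9][0-9._]*\)$/\1/p')
        [ -n "$ver" ] || continue
        if is_older "$ver" "$PATCHED"; then
            echo "OUTDATED $ver $dir"
        else
            echo "OK $ver $dir"
        fi
    done
}

# Usage: sh check_j2re.sh /usr/java   (does nothing without an argument)
if [ "$#" -gt 0 ]; then
    scan_j2re "$1"
fi
```

A line marked OUTDATED means only that the install predates 1.4.2_06; the browser may also be pointing at a different JRE than the newest one on disk, so check every path reported.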

The problems underscore an emerging issue for Sun. A greater number of Web users--many of them new to computers--are turning to the server specialist for the Java virtual machine software. The technology is used by Web developers to create small programs, or applets, that can run on any operating system.

The impact of the influx will be heightened by a 2001 patent deal between Sun and Microsoft. As a result of the settlement, Microsoft discontinued shipments of its own Java plug-in in all its new products last year. It plans to halt its support by Dec. 31, 2007.

A Sun representative said the Santa Clara, Calif.-based company recognizes that more people will be relying on it for Java updates and that it is planning a revamp of its Web site. "What started as a utilitarian site for Sun Java users has turned into a consumer site today. We are continuing to invest in it," said Craig Miller, Java.com program director at Sun.

To date, an estimated 40 percent of people with the Java plug-in have updated their security-flawed version to the patched 1.4.2_06 version, which has racked up 2.2 million downloads since its Oct. 11 release.

People can get the download at the Java.com site or at Sun's download site. Searches on Yahoo, Google and other sites for the plug-in are redirected to Sun's sites.

The comfort factor
Industry analysts note that Sun is more comfortable dealing with the big companies and technology-savvy customers that typically buy its servers and software.

"Sun has been an infrastructure company for the most part...so I would say that they still have a lot to do to improve the whole user experience," said Roger Kay, an IDC analyst. "The good news is that Sun has some time before Microsoft has pulled out of the picture entirely."

However, Microsoft is no longer involved in new Java plug-ins. Sun now supplies more than 60 percent of PC makers with the most recent version of Java, Miller said.

In addition, Java.com receives a large amount of traffic from Microsoft, which is in the top 10 list of sites that redirect inquiries for a Java plug-in to Sun, Miller said.

Sun plans to launch a Java.com revamp by the middle of next quarter. And in the meantime, the company plans to tweak its auto-update feature when it releases a new update feature for Firefox users, said Laura Ramsey, a Sun representative.

But the auto-update feature will not automatically download the latest version of the Java software without some input from the user, Miller said. Sun typically requires that people take action to download updates if they are not logged on to their computer at the precise date and time when new updates are available.

"Sun is adamant about its sensitivity to users' privacy and security. We would rather have users opt in than opt out," Miller said. "So we're loath to have an automatic download, unless a user requests it. It has always been our strategy to err on the side of caution."

Sun noted that while Firefox is gaining in popularity, the browser still represents a small percentage of the total number of machines that use Java plug-ins.

Analysts say consumers appreciate it when some of the thinking is done for them. That's a switch that Sun may need to make.

"Companies--I don't care what area they are in, if they are catering to consumers, they need to reduce the number of choices a consumer has to make," analyst Kay said.

"The issue is the culture of the company," Kay added, noting that it's a leap for Sun to move from dealing with code-aware customers to less-knowledgeable consumers. "They have their work cut out for them."

7 comments

Tragic
What has this world come to when a company isn't willing to do the thinking for its customers?

MS is used to dealing with idiots, in fact their entire business is based around those morons.

At least issues with the JVM are rare, so users having to spend 5 seconds thinking will just have to deal and be happy.
Posted by (40 comments )
I can't believe that analyst just said that!
"'Companies--I don't care what area they are in, if they are catering to consumers, they need to reduce the number of choices a consumer has to make,' analyst Kay said."

That is amongst the stupidest comments I've ever heard made by an analyst. Nice work Kay!
Posted by 201293546946733175101343322673 (722 comments )
I can't believe your comment
I can't believe your ignorance to the human-computer interaction field, their studies, and their conclusions.
Posted by (4 comments )
Don't forget to select the correct version of the JRE
Two things puzzled me about Sun's method of updating software: even though jusched.exe is running regularly on my Windows XP machine, it didn't pick up the 1.4.2_06, so I had to download and install it manually. Second, after installing it, I was still running the older JRE. This is how I changed it to the latest version.

After downloading and installing the JRE 1.4.2_06 update from Sun's Java website, I had to select that version of the Java Runtime Environment (JRE) manually in the Java Plug-In Control Panel. That panel resides in the Windows Control Panel. Select the "Advanced" tab from the Java Plug-In Control Panel, and select J2RE 1.4.2_06 from the drop-down listbox. Next, click on the "Apply" button. To make sure this was done correctly, click on the "About" tab and check that 1.4.2_06 is shown under Runtime Environment. Now, my applets that failed before run correctly.

I hope that the cooperation between SUN and Microsoft results in mutual education. SUN should show more about how Java works, and Microsoft can teach SUN a few things about automatic updating. In the past, when I administered SUN workstations, applying patches was a major effort that sometimes involved technical support calls. My Windows XP Pro machine and my 2003 server have used (automatic) Windows Update since I deployed these machines. Patch management is no longer a dark art, nor should it take as much effort as SUN is asking us with Java. It is not that I am not able to do it, it is just that doing the same manual steps on dozens of PCs is tedious and should be unnecessary with a properly designed jusched.exe process.
Posted by (1 comment )
legitimate redirect?
The link to Sun's Java page in the "What should I do?" section is redirected to dw.com.com. Is that a data collection point of some kind, or is it something to be concerned about?
Posted by ari_fan (1 comment )
Easy fix for Firefox users
If you do use Firefox, and are concerned about this, you can go to Options > Web Features and uncheck the box labeled Enable Java.
Posted by Yoshihama1 (5 comments )
Pathetic Customer support from Sun
Manually updating from 1.4.2_05 still just comes back saying you have the current version. Boy they are really on top of things. It always amazes me that small businesses and independent developers are almost always more on top of things than all these megalithic (MS, Sun, Symantec, etc) that have umpteen thousand employees doing nothing.
Posted by Mel7 (1 comment )
 
